Cryptanalysis of the CRUSH Hash Function

  • Matt Henricksen
  • Lars R. Knudsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4876)


Iterated Halving has been suggested as a replacement to the Merkle-Damgård construction following attacks on the MDx family of hash functions. The core of the scheme is an iterated block cipher that provides keying and input material for future rounds. The CRUSH hash function provides a specific instantiation of the block cipher for Iterated Halving. In this paper, we identify structural problems with the scheme, and show that by using a bijective function, such as the block cipher used in CRUSH or the AES, we can trivially identify collisions and second preimages on many equal-length messages of length ten blocks or more. The cost is ten decryptions of the block cipher, this being less than the generation of a single digest. We show that even if Iterated Halving is repaired, the construction has practical issues that means it is not suitable for general deployment. We conclude this paper with the somewhat obvious statement that CRUSH, and more generally Iterated Halving, should not be used.


CRUSH Iterated Halving Hash Functions Cryptanalysis Collisions Second preimages 


  1. 1.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES—the Advanced Encryption Standard. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  2. 2.
    Damgård, I.: A Design Principle for Hash Functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  3. 3.
    Gauravaram, P.: Cryptographic Hash Functions: Cryptanlaysis, Design and Applications. PhD Thesis, Information Security Institute, Faculty of Information Technology, Queensland Unversity of Technology (2007)Google Scholar
  4. 4.
    Gauravaram, P., Millan, W., Dawson, E.P., Viswanathan, K.: Constructing Secure Hash Functions by Enhancing Merkle-Damgård Construction. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 407–420. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Gauravaram, P., Millan, W., May, L.: CRUSH: A New Cryptographic Hash Function Using Iterated Halving Technique. In: Cryptographic Algorithms and Their Uses, QUT, pp. 28–39 (July 2004)Google Scholar
  6. 6.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)Google Scholar
  7. 7.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar
  8. 8.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Matt Henricksen
    • 1
  • Lars R. Knudsen
    • 2
  1. 1.Institute for Infocomm Research, A*STARSingapore
  2. 2.Department of Mathematics, Technical University of Denmark, DK-2800 Kgs. LyngbyDenmark

Personalised recommendations